Saturday, August 4, 2012

MsgHookLister

A very cool tool for showing Windows hooks - with source code!
It seems that it uses dbghelp.dll to download win32k.pdb and extract the following symbols:
  • ValidateHwnd
  • gpresUser
  • UserGetAtomName - why not NtUserGetAtomName?
  • aatomSysLoaded
  • grpWinStaList
I already described how to get aatomSysLoaded. It seems that the hardest part is how to find grpWinStaList.

It seems that grpWinStaList (and gpresUser too) can be extracted from the function NtUserTestForInteractiveUser (code ripped from the Windows 8 Release Preview):
    push 14h
    push offset unk_2F5528
    call __SEH_prolog4
    push _gpresUser
    call ds:__imp__ExEnterPriorityRegionAndAcquireResourceShared@4
    xor ebx, ebx
    mov [ebp-4], ebx
    mov esi, [ebp+8]
    mov eax, _W32UserProbeAddress
    cmp esi, eax
    jb  short loc_1F8852
    mov esi, eax
loc_1F8852:
    lea edi, [ebp-24h]
    movsd
    movsd
    mov dword ptr [ebp-4], 0FFFFFFFEh
    mov ecx, _grpWinStaList
    mov eax, [ebp-24h]
    cmp eax, [ecx+50h]
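As an added example (this is not the MsgHookLister source and not code from the post), the listing above can be turned into a byte signature: the relocatable fields (the two call targets and the unk_2F5528 pointer) become wildcards, and the three absolute memory operands (`push _gpresUser` is `FF 35 imm32`, `mov eax, _W32UserProbeAddress` is `A1 imm32`, `mov ecx, _grpWinStaList` is `8B 0D imm32`) become named 4-byte captures. The scanner below runs that signature over a constructed byte encoding of the quoted instructions; the image base, image size and the three virtual addresses are placeholders, not values from any real win32k build, and the encoding is 32-bit x86 only. A signature like this breaks as soon as the compiler re-orders the prologue in another build, which is why reading the symbols from win32k.pdb, as the tool does, is the first choice and the scan only a fallback.

```python
import re
import struct

# Constructed sample: placeholder image bounds and global addresses standing in
# for the real, build-specific win32k values (they are NOT from any real build).
IMAGE_BASE = 0xBF800000
IMAGE_SIZE = 0x00300000
GPRESUSER_VA = 0xBF9A1230
W32USERPROBE_VA = 0xBF9A1340
GRPWINSTALIST_VA = 0xBF9A1450


def le32(value):
    """Encode a 32-bit value little-endian, as x86 stores absolute operands."""
    return struct.pack("<I", value)


# Byte encoding of the NtUserTestForInteractiveUser prologue quoted in the post
# (32-bit x86). The call rel32 fields and the unk_2F5528 pointer are filler.
SAMPLE_FUNCTION = (
    b"\x6A\x14"                                 # push 14h
    + b"\x68" + le32(0xBF9F5528)                # push offset unk_2F5528 (filler)
    + b"\xE8" + le32(0)                         # call __SEH_prolog4 (rel32 filler)
    + b"\xFF\x35" + le32(GPRESUSER_VA)          # push _gpresUser (push dword ptr [mem])
    + b"\xFF\x15" + le32(0xBF9F6000)            # call ds:__imp__ExEnterPriority... (filler)
    + b"\x33\xDB"                               # xor ebx, ebx
    + b"\x89\x5D\xFC"                           # mov [ebp-4], ebx
    + b"\x8B\x75\x08"                           # mov esi, [ebp+8]
    + b"\xA1" + le32(W32USERPROBE_VA)           # mov eax, _W32UserProbeAddress
    + b"\x3B\xF0"                               # cmp esi, eax
    + b"\x72\x02"                               # jb short loc_1F8852
    + b"\x8B\xF0"                               # mov esi, eax
    + b"\x8D\x7D\xDC"                           # lea edi, [ebp-24h]
    + b"\xA5\xA5"                               # movsd; movsd
    + b"\xC7\x45\xFC\xFE\xFF\xFF\xFF"           # mov dword ptr [ebp-4], 0FFFFFFFEh
    + b"\x8B\x0D" + le32(GRPWINSTALIST_VA)      # mov ecx, _grpWinStaList
    + b"\x8B\x45\xDC"                           # mov eax, [ebp-24h]
    + b"\x3B\x41\x50"                           # cmp eax, [ecx+50h]
)

# Constructed "image": padding on both sides so the match is not at offset 0.
SAMPLE_IMAGE = b"\x90" * 16 + SAMPLE_FUNCTION + b"\xCC" * 16

# Signature derived from the listing: '??' is a one-byte wildcard for
# relocatable/filler bytes, '[name]' captures a 4-byte absolute operand.
PROLOGUE_SIGNATURE = (
    "6A 14 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 [gpresUser] FF 15 ?? ?? ?? ?? "
    "33 DB 89 5D FC 8B 75 08 A1 [W32UserProbeAddress] 3B F0 72 02 8B F0 "
    "8D 7D DC A5 A5 C7 45 FC FE FF FF FF 8B 0D [grpWinStaList] 8B 45 DC 3B 41 50"
)


def compile_signature(signature):
    """Translate the textual signature into a compiled bytes regex."""
    parts = []
    for token in signature.split():
        if token == "??":
            parts.append(b".")
        elif token.startswith("[") and token.endswith("]"):
            parts.append(b"(?P<" + token[1:-1].encode("ascii") + b">.{4})")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_user_globals(image, image_base, image_size, signature=PROLOGUE_SIGNATURE):
    """Locate the prologue in `image` and return {symbol: virtual address}.

    Returns None when the signature is absent or matches more than once, or
    when an extracted operand does not point into the image: on an unexpected
    build it is better to report failure than to hand back a bogus pointer.
    """
    matches = list(compile_signature(signature).finditer(image))
    if len(matches) != 1:
        return None
    found = {}
    for name, raw in matches[0].groupdict().items():
        va = struct.unpack("<I", raw)[0]
        if not image_base <= va < image_base + image_size:
            return None
        found[name] = va
    return found


if __name__ == "__main__":
    for symbol, va in sorted(find_user_globals(SAMPLE_IMAGE, IMAGE_BASE, IMAGE_SIZE).items()):
        print(f"{symbol:<22} 0x{va:08X}")
```

The two checks in `find_user_globals` are the part worth keeping whatever signature you use: requiring exactly one match catches a pattern that has become ambiguous in a newer build, and requiring every extracted operand to lie inside the image catches a match on the wrong bytes before the address is dereferenced.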
